Facebook Alleged to Have Exposed Sensitive Health Information Shared in Closed Groups

by

The FTC received a complaint that was submitted concerning Facebook’s misleading practices. The complaint claims that health-related information disclosed in closed, purportedly anonymous and non-public Facebook groups has been compromised.

Congress is asking Facebook to give answers regarding the purported privacy violations concerning the Facebook PHR (Groups) system. The House Committee on Energy & Commerce leaders have written to Facebook CEO Mark Zuckerberg asking for an urgent reply to the privacy issue that users of Facebook Groups filed with the FTC.

Security researcher Fred Trotter and a Facebook health group members submitted the complaint to FTC in December but FTC only made it open to the public this week. The complaint letter states that personal health information (PHI) the users of closed Facebook groups share had been compromised. As a result, members of the groups are prone to discrimination and harassment.

People with health and mental health issues use closed Facebook groups to obtain support. Members of the Facebook groups are provided a safe place to talk about their problems. Highly sensitive data is frequently disclosed knowing that they are kept private and anonymous. It is alleged in the complaint that Facebook is actively encouraging the use of closed groups as a way for patients to discuss their health info and get help for medical conditions.

Groups users have disclosed information concerning positive HIV diagnoses, sexual histories, particulars of past sexual abuse, substance abuse issues, and a variety of health and mental health ailments.

The groups are meant to be private and anonymous and are usually promoted as such. One example group is the Affected by Addiction Community Facebook Group, which says that the group is private and so postings will not be seen by people outside the group. Many other groups are specified in the complaint and some are actively advertised by Facebook, even if privacy isn’t certain. The data policy of Facebook says that data posted on its platform may be shared with other people in and out of its platform. The claim that the groups are private and anonymous is a misrepresentation.

Facts shared in these groups, which include personal health data, is disclosed to advertisers. There have been a lot of incidents of displaying advertisements related to possible treatments for medical problems that were only discussed in closed groups.

Facebook is not restricted by HIPAA Rules, therefore the sharing of any personal information with advertisers does not constitute a HIPAA violation. Nevertheless, Facebook needs to comply with FTC Rules: and Facebook is alleged to have violated these Rules.

Besides sharing information with advertisers, the complaints question the security of Facebook Groups. One member of a closed health group stated she could get a listing of all members of the group using a Chrome web browser extension known as grouply.io. Trotter, whom the member informed, was also able to download the real names of 10,000+ members of a private group, their email addresses, the city location of members, and employers of females who took part in the group. In this case, the members were identified as having the BRCA cancer mutation.

Trotter explained in the complaint that considering Facebook is promoting the groups for disclosing health data the groups should be regarded as a personal health data and regulated as such by the FTC. Part of the terms for personal health information is the reporting of data breaches. Although Facebook was informed regarding the file download and data breach, Group members were not notified.

There’s a serious problem with the implementation of Facebook’s privacy. Allowing the sharing of posted personal health information is a violation of the law. This presents a risk of death or serious injury to Facebook users. Facebook has been ignoring and denying the issues identified by the leaders of the Energy and Commerce Committee. The unfair, deceptive and misleading interactions between Facebook and its users violates the FTC Act.

The committee leaders have requested a briefing from Facebook by March 1, 2019 regarding how Facebook gathers personal information and synthesize those data into suggestions of pertinent medical problem support groups. Another issue is the labeling of these groups as closed or anonymous, which potentially tricked Facebook users into joining the groups and disclosing more of their private info than they otherwise would have shared.
.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]